binary edwards curves
play

Binary Edwards Curves Daniel J. Bernstein Tanja Lange University - PowerPoint PPT Presentation

Jun 01, 2023 •146 likes •428 views

Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and Technische Universiteit Eindhoven djb@cr.yp.to tanja@hyperelliptic.org 12.08.2008 joint work with Reza Rezaeian Farashahi, Eindhoven D. J. Bernstein

  1. Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and Technische Universiteit Eindhoven djb@cr.yp.to tanja@hyperelliptic.org 12.08.2008 joint work with Reza Rezaeian Farashahi, Eindhoven D. J. Bernstein & T. Lange & R. Rezaeian Farashahi cr.yp.to/papers.html#edwards2 – p. 1

  2. Harold M. Edwards Edwards generalized single example x 2 + y 2 = 1 − x 2 y 2 by Euler/Gauss to whole class of curves. Shows that – after some field extensions – every elliptic curve over field k of odd characteristic is birationally equivalent to a curve of the form x 2 + y 2 = a 2 (1 + x 2 y 2 ) , a 5 � = a Edwards gives addition law for this generalized form, shows equivalence with Weierstrass form, proves addition law, gives theta parameterization . . . in his paper Bulletin of the AMS, 44 , 393–422, 2007 D. J. Bernstein & T. Lange & R. Rezaeian Farashahi cr.yp.to/papers.html#edwards2 – p. 2

  3. � � How to add on an Edwards curve y Let k be a field with 2 � = 0 . Let d ∈ k with d � = 0 , 1 . Edwards curve: { ( x, y ) ∈ k × k | x 2 + y 2 = 1 + dx 2 y 2 } Generalization covers more curves over k . Associative operation on points x ( x 1 , y 1 ) + ( x 2 , y 2 ) = ( x 3 , y 3 ) defined by Edwards addition law x 1 y 2 + y 1 x 2 y 1 y 2 − x 1 x 2 x 3 = and y 3 = . 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 Neutral element is (0 , 1) ; this is an affine point. − ( x 1 , y 1 ) = ( − x 1 , y 1 ) . (0 , − 1) has order 2 ; (1 , 0) and ( − 1 , 0) have order 4 . D. J. Bernstein & T. Lange & R. Rezaeian Farashahi cr.yp.to/papers.html#edwards2 – p. 3

  4. Relationship to Weierstrass form Every elliptic curve with point of order 4 is birationally equivalent to an Edwards curve. Let P 4 = ( u 4 , v 4 ) have order 4 and shift u s.t. 2 P 4 = (0 , 0) . Then Weierstrass form: v 2 = u 3 + ( v 2 4 − 2 u 4 ) u 2 + u 2 4 /u 2 4 u. Define d = 1 − (4 u 3 4 /v 2 4 ) . The coordinates x = v 4 u/ ( u 4 v ) , y = ( u − u 4 ) / ( u + u 4 ) satisfy x 2 + y 2 = 1 + dx 2 y 2 . Inverse map u = u 4 (1 + y ) / (1 − y ) , v = v 4 u/ ( u 4 x ) . Finitely many exceptional points. Exceptional points have v ( u + u 4 ) = 0 . Addition on Edwards and Weierstrass corresponds. D. J. Bernstein & T. Lange & R. Rezaeian Farashahi cr.yp.to/papers.html#edwards2 – p. 4

  5. Nice features of the addition law Neutral element of addition law is affine point, this avoids special routines (for (0 , 1) one of the inputs or the result). Addition law is symmetric in both inputs. � x 1 y 2 + y 1 x 2 , y 1 y 2 − x 1 x 2 � P + Q = . 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 D. J. Bernstein & T. Lange & R. Rezaeian Farashahi cr.yp.to/papers.html#edwards2 – p. 5

  6. Nice features of the addition law Neutral element of addition law is affine point, this avoids special routines (for (0 , 1) one of the inputs or the result). Addition law is symmetric in both inputs. � x 1 y 2 + y 1 x 2 , y 1 y 2 − x 1 x 2 � P + Q = . 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 � x 1 y 1 + y 1 x 1 , y 1 y 1 − x 1 x 1 � [2] P = . 1 + dx 1 x 1 y 1 y 1 1 − dx 1 x 1 y 1 y 1 D. J. Bernstein & T. Lange & R. Rezaeian Farashahi cr.yp.to/papers.html#edwards2 – p. 5

  7. Nice features of the addition law Neutral element of addition law is affine point, this avoids special routines (for (0 , 1) one of the inputs or the result). Addition law is symmetric in both inputs. � x 1 y 2 + y 1 x 2 , y 1 y 2 − x 1 x 2 � P + Q = . 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 � x 1 y 1 + y 1 x 1 , y 1 y 1 − x 1 x 1 � [2] P = . 1 + dx 1 x 1 y 1 y 1 1 − dx 1 x 1 y 1 y 1 No reason that the denominators should be 0 . Addition law produces correct result also for doubling. D. J. Bernstein & T. Lange & R. Rezaeian Farashahi cr.yp.to/papers.html#edwards2 – p. 5

  8. Nice features of the addition law Neutral element of addition law is affine point, this avoids special routines (for (0 , 1) one of the inputs or the result). Addition law is symmetric in both inputs. � x 1 y 2 + y 1 x 2 , y 1 y 2 − x 1 x 2 � P + Q = . 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 � x 1 y 1 + y 1 x 1 , y 1 y 1 − x 1 x 1 � [2] P = . 1 + dx 1 x 1 y 1 y 1 1 − dx 1 x 1 y 1 y 1 No reason that the denominators should be 0 . Addition law produces correct result also for doubling. Unified group operations! D. J. Bernstein & T. Lange & R. Rezaeian Farashahi cr.yp.to/papers.html#edwards2 – p. 5

  9. Complete addition law If d is not a square the denominators 1 + dx 1 x 2 y 1 y 2 and 1 − dx 1 x 2 y 1 y 2 are never 0 ; addition law is complete. Edwards addition law allows omitting all checks Neutral element is affine point on curve. Addition works to add P and P . Addition works to add P and − P . Addition just works to add P and any Q . Only complete addition law in the literature. No exceptional points, completely uniform group operations. Having addition law work for doubling removes some checks from the code and gives SCA protection (might leak Hamming weight, though). D. J. Bernstein & T. Lange & R. Rezaeian Farashahi cr.yp.to/papers.html#edwards2 – p. 6

  10. Fast addition law Very fast point addition 10M + 1S + 1D. (Even faster with Inverted Edwards coordinates.) Dedicated doubling formulas need only 3M + 4S. Fastest scalar multiplication in the literature. For comparison: IEEE standard P1363 provides “the fastest arithmetic on elliptic curves” by using Jacobian coordinates on Weierstrass curves. Point addition 12M + 4S. Doubling formulas need only 4M + 4S. For more curve shapes, better algorithms (even for Weierstrass curves) and many more operations (mixed addition, re-addition, tripling, scaling,. . . ) see www.hyperelliptic.org/EFD for the Explicit-Formulas Database. D. J. Bernstein & T. Lange & R. Rezaeian Farashahi cr.yp.to/papers.html#edwards2 – p. 7

  11. Edwards Curves – a new star(fish) is born lecture circuit: Hoboken Turku Warsaw Fort Meade, Maryland Melbourne Ottawa (SAC) Dublin (ECC) Bordeaux Bristol Magdeburg Seoul Malaysia (Asiacrypt) Madras Bangalore (AAECC) . . . D. J. Bernstein & T. Lange & R. Rezaeian Farashahi cr.yp.to/papers.html#edwards2 – p. 8 Washington (CHES)

  12. One year passes . . . . . . I feel so odd . . . D. J. Bernstein & T. Lange & R. Rezaeian Farashahi cr.yp.to/papers.html#edwards2 – p. 9

  13. Exceptions, 2 � = 0 . . . Even characteristic much more interesting for hardware . . . D. J. Bernstein & T. Lange & R. Rezaeian Farashahi cr.yp.to/papers.html#edwards2 – p. 10

  14. Exceptions, 2 � = 0 . . . Even characteristic much more interesting for hardware . . . and soon also in software, cf. Intel’s and Sun’s current announcements to include binary instructions. D. J. Bernstein & T. Lange & R. Rezaeian Farashahi cr.yp.to/papers.html#edwards2 – p. 10

  15. How to design a worthy binary partner? Our wish-list (early February 2008) after studying and experimenting with mostly small modifications of odd Edwards: A binary Edwards curve should be elliptic. look like an Edwards curve. have a complete addition law. cover most (all?) ordinary binary elliptic curves. have an easy to compute negation. have efficient doublings. have efficient additions. D. J. Bernstein & T. Lange & R. Rezaeian Farashahi cr.yp.to/papers.html#edwards2 – p. 11

  16. How to design a worthy binary partner? Our wish-list (early February 2008) after studying and experimenting with mostly small modifications of odd Edwards: A binary Edwards curve should be elliptic. look like an Edwards curve. have a complete addition law. cover most (all?) ordinary binary elliptic curves. have an easy to compute negation. have efficient doublings. have efficient additions. be found before the CHES deadline, February 29th. D. J. Bernstein & T. Lange & R. Rezaeian Farashahi cr.yp.to/papers.html#edwards2 – p. 11

  17. Binary Edwards curves Let d 1 � = 0 and d 2 � = d 2 1 + d 1 then E B ,d 1 ,d 2 : d 1 ( x + y ) + d 2 ( x 2 + y 2 ) = xy + xy ( x + y ) + x 2 y 2 , is a binary Edwards curve with parameters d 1 , d 2 . Map ( x, y ) �→ ( u, v ) defined by u = d 1 ( d 2 1 + d 1 + d 2 )( x + y ) / ( xy + d 1 ( x + y )) , v = d 1 ( d 2 1 + d 1 + d 2 )( x/ ( xy + d 1 ( x + y )) + d 1 + 1) is a birational equivalence from E B ,d 1 ,d 2 to the elliptic curve v 2 + uv = u 3 + ( d 2 1 + d 2 ) u 2 + d 4 1 ( d 4 1 + d 2 1 + d 2 2 ) , an ordinary elliptic curve in Weierstrass form. D. J. Bernstein & T. Lange & R. Rezaeian Farashahi cr.yp.to/papers.html#edwards2 – p. 12

  18. Properties of binary Edwards curves ( x 3 , y 3 ) = ( x 1 , y 1 ) + ( x 2 , y 2 ) with x 3 = d 1 ( x 1 + x 2 ) + d 2 ( x 1 + y 1 )( x 2 + y 2 ) + ( x 1 + x 2 1 )( x 2 ( y 1 + y 2 + 1) + y 1 y 2 ) , d 1 + ( x 1 + x 2 1 )( x 2 + y 2 ) y 3 = d 1 ( y 1 + y 2 ) + d 2 ( x 1 + y 1 )( x 2 + y 2 ) + ( y 1 + y 2 1 )( y 2 ( x 1 + x 2 + 1) + x 1 x 2 ) . d 1 + ( y 1 + y 2 1 )( x 2 + y 2 ) if denominators are nonzero. Neutral element is (0 , 0) ; again, this is an affine point. (1 , 1) has order 2 . − ( x, y ) = ( y, x ) . ( x 1 , y 1 ) + (1 , 1) = ( x 1 + 1 , y 1 + 1) . D. J. Bernstein & T. Lange & R. Rezaeian Farashahi cr.yp.to/papers.html#edwards2 – p. 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and

Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and

Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and Technische Universiteit Eindhoven djb@cr.yp.to tanja@hyperelliptic.org 09.05.2008 joint work with Reza Rezaeian Farashahi, Eindhoven

571 views • 33 slides
Binary Edwards Curves Reza Rezaeian Farashahi Dept. of Mathematics and Computing Science TU

Binary Edwards Curves Reza Rezaeian Farashahi Dept. of Mathematics and Computing Science TU

Binary Edwards Curves Reza Rezaeian Farashahi Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Bernstein (University of Illinois at Chicago) Tanja Lange (TU Eindhoven) and ECC, Sep 24, 2008 ( Dept. of Mathematics

721 views • 47 slides
Edwards coordinates for elliptic curves, part 2 D. J. Bernstein University of Illinois at

Edwards coordinates for elliptic curves, part 2 D. J. Bernstein University of Illinois at

Edwards coordinates for elliptic curves, part 2 D. J. Bernstein University of Illinois at Chicago (Joint work with Tanja Lange) Cohen Schoof ECPC Lenstra ECM Miller Bosma Koblitz Goldwasser/Kilian ECC

294 views • 27 slides
Efficient Doubling on Genus Two Curves over Binary Fields (SAC 2004) Marc Stevens Tanja Lange

Efficient Doubling on Genus Two Curves over Binary Fields (SAC 2004) Marc Stevens Tanja Lange

Efficient Doubling on Genus Two Curves over Binary Fields (SAC 2004) Marc Stevens Tanja Lange Eindhoven University Ruhr-Universitt of Technology Bochum Overview Elliptic Curves Hyperelliptic Curves HEC of Genus 2

473 views • 33 slides
Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology

Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology

Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology CADO Workshop on Integer Factorization 7 October 2008 Joint work with Daniel J. Bernstein, Tanja Lange and Christiane Peters Paper at

1.02k views • 28 slides
Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology

Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology

Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology The 12th Workshop on Elliptic Curve Cryptography 22 September 2008 Joint work with Daniel J. Bernstein, Tanja Lange and Christiane Peters Paper

650 views • 27 slides
Using Modular Extension to Provably Protect Edwards Curves Against Fault Attacks Margaux

Using Modular Extension to Provably Protect Edwards Curves Against Fault Attacks Margaux

Using Modular Extension to Provably Protect Edwards Curves Against Fault Attacks Margaux Dugardin, Sylvain Guilley, Martin Moreau, Zakaria Najm, Pablo Rauzy PROOFS 2016 - Santa Barbara, CA Introduction Eve Communications Alice Bob Channel

726 views • 60 slides
Twisted Edwards curves D. J. Bernstein ( uic.edu ) Peter Birkner ( tue.nl ) Marc Joye ( thomson.net

Twisted Edwards curves D. J. Bernstein ( uic.edu ) Peter Birkner ( tue.nl ) Marc Joye ( thomson.net

Twisted Edwards curves D. J. Bernstein ( uic.edu ) Peter Birkner ( tue.nl ) Marc Joye ( thomson.net ) Tanja Lange ( tue.nl ) Christiane Peters ( tue.nl ) Thanks to: NSF ITR0716498 IST2002507932 ECRYPT INRIA Lorraine, LORIA Todays

190 views • 15 slides
Batch binary Edwards D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 p

Batch binary Edwards D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 p

Batch binary Edwards D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 p index calculus Classic F needs to check smoothness < p . of many positive integers Smooth integer: integer > y . with no prime divisors y

475 views • 8 slides
Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in

Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in

Index Calculus Method Small char Finite Fields 9234 bits Impact on Pairings Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in F 2 4 1223 and F 2 12 367 ) Jens Zumbr agel Institute of

367 views • 32 slides
Edwards Coordinates for Elliptic Curves, part 1 Tanja Lange Technische Universiteit Eindhoven

Edwards Coordinates for Elliptic Curves, part 1 Tanja Lange Technische Universiteit Eindhoven

Edwards Coordinates for Elliptic Curves, part 1 Tanja Lange Technische Universiteit Eindhoven tanja@hyperelliptic.org joint work with Daniel J. Bernstein 10.11.2007 http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange p. 1 Do

787 views • 51 slides
Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves

Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves

Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves C. Negre and J.M. Robert april 8, 2015 1 / 39 Outline Overview of elliptic curve cryptography 1 Implementation of F 2 m arithmetic 2 Elliptic

781 views • 75 slides
Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law hlaw@iml.univ-mrs.fr Institute de Math ematiques de

662 views • 41 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
Today Edge detection and matching process the image gradient to find curves/contours

Today Edge detection and matching process the image gradient to find curves/contours

1/25/2017 Edges and Binary Image Analysis Thurs Jan 26 Kristen Grauman UT Austin Today Edge detection and matching process the image gradient to find curves/contours comparing contours Binary image analysis blobs and

976 views • 60 slides
On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger

On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger

Motivation - Exotic Security Assumptions in Cryptography Main Algorithm and Results Oracle-assisted Static DHP for binary curves On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger

1.32k views • 105 slides
Motion of thin droplets over surfaces numerical and modeling techniques for moving contact lines

Motion of thin droplets over surfaces numerical and modeling techniques for moving contact lines

Weierstrass Institute for Applied Analysis and Stochastics Motion of thin droplets over surfaces numerical and modeling techniques for moving contact lines Dirk Peschka, Sebastian Jachalski, Barbara Wagner Stefan Bommer, Ralf Seemann, Georgy

740 views • 48 slides
Complexity of the Creative Telescoping for Bivariate Rational Functions Shaoshi Chen (joint work

Complexity of the Creative Telescoping for Bivariate Rational Functions Shaoshi Chen (joint work

1 / 29 Complexity of the Creative Telescoping for Bivariate Rational Functions Shaoshi Chen (joint work with Alin Bostan, Fr ed eric Chyzak & Ziming Li) Algorithms Project-Team, INRIA (France) KLMM, Chinese Academy of Sciences

504 views • 29 slides
Differential Equations for Algebraic Functions Bruno Salvy Bruno.Salvy@inria.fr Algorithms

Differential Equations for Algebraic Functions Bruno Salvy Bruno.Salvy@inria.fr Algorithms

Introduction Algorithms Bounds Conclusion Differential Equations for Algebraic Functions Bruno Salvy Bruno.Salvy@inria.fr Algorithms Project, Inria Joint work with A. Bostan, F. Chyzak, G. Lecerf & E. Schost 1 / 23 Bruno Salvy

533 views • 30 slides
Leveraging Intermediate Forms for Analysis Andrew Reiter, Ayal Spitz and Jared Carlson Veracode

Leveraging Intermediate Forms for Analysis Andrew Reiter, Ayal Spitz and Jared Carlson Veracode

Leveraging Intermediate Forms for Analysis Andrew Reiter, Ayal Spitz and Jared Carlson Veracode Research Intrepid Pursuits Analysis via Formal Methods What are Formal Methods? Why should they be used? Who should be using them? FM &

759 views • 48 slides
HumanDetection GregMori CMPT888 Outline Humandetectioninimages

HumanDetection GregMori CMPT888 Outline Humandetectioninimages

HumanDetection GregMori CMPT888 Outline Humandetectioninimages HistogramsofOrientedGradients(HOG) DalalandTriggsCVPR2005 LatentSVM(LSVM)

974 views • 66 slides
Equations d evolution et calcul diff erentiel non commutatifs. Non-commutative

Equations d evolution et calcul diff erentiel non commutatifs. Non-commutative

Equations d evolution et calcul diff erentiel non commutatifs. Non-commutative differential equations and systems of coordinates on (some) infinite dimensional Lie Groups. V.C. B` ui, Matthieu Deneufch atel,G.H.E. Duchamp,

552 views • 38 slides
A Logical Account for Linear Partial Differential Equations Marie Kerjean IRIF, Universit e

A Logical Account for Linear Partial Differential Equations Marie Kerjean IRIF, Universit e

LICS 2018, Oxford A Logical Account for Linear Partial Differential Equations Marie Kerjean IRIF, Universit e Paris Diderot kerjean@irif.fr 1/ 19 Linear Logic is about joining Logic and Algebra. Differential Linear Logic is about joining

502 views • 37 slides
Numerical Solutions to Partial Differential Equations Zhiping Li LMAM and School of Mathematical

Numerical Solutions to Partial Differential Equations Zhiping Li LMAM and School of Mathematical

Numerical Solutions to Partial Differential Equations Zhiping Li LMAM and School of Mathematical Sciences Peking University Numerical Methods for Partial Differential Equations Finite Difference Methods for Elliptic Equations Finite

1.03k views • 39 slides

More recommend